Security in accessing and transmitting information is as crucial as security to protect physical possessions. Conventional security devices, such as number locks, may include devices that control access based on possession of a virtual “key,” such as in the form of private information (e.g., a passcode). A passcode is a sequence of characters, such as letters, numbers, special characters, or any combination thereof. In the digital realm, passcode-based locks are emulated by digital passcode-based security devices, such as by an automatic teller machine (ATM) key pad or a debit card personal identification number (PIN) key pad. These digital passcode-based security devices are generally specialized hardware devices (i.e., lacking a general-purpose operating system/kernel to run different functional components) that control access to a system based on a user's knowledge of a passcode. Conventional digital passcode-based security devices are implemented on specialized devices because, among other reasons, any general-purpose device may enable installation of malware (i.e., software designed for the purpose of overcoming security without authorization).
For example, in a conventional point-of-sale electronic payment card transaction, e.g., by a debit card or smart card such as a Europay, MasterCard, and Visa (EMV) card, a cardholder's identity and/or authenticity is confirmed by requiring an entry of a PIN rather than, or in addition to, signing a paper receipt. A user can enter a PIN on a specialized card reader. The card reader then retrieves a PIN from the smart card. The PIN entered by the user is then compared against the PIN retrieved from the smart card. Authorization of the use of the card can be granted based on the entered PIN matching the retrieved PIN.
The example above uses a specialized device to authorize a user instead of a general-purpose device, which has an operating system enabling any third-party applications to run thereon. A general-purpose device enables ease of implementation of security-sensitive applications. The ability to use general-purpose devices to implement a passcode-based authentication system enables merchants and consumers who wish to use or implement a secured authentication system to use devices they already own for that purpose. However, making the card reader part of a general-purpose device may be infeasible because of the inability to defend against installation of malware on the same general-purpose device. A particular form of malware is a key logging application. A key logging application may attempt to record a passcode on the general-purpose device. This type of attack may be referred to as “passcode logging.” Unlike malware that directly attacks a passcode entry application, key logging malware may monitor an input device for a time period without detection in an attempt to obtain the passcode. The threat of key logging malware serves as yet another obstacle to the use of a general-purpose device as a security device to protect information and access, particularly in the context of processing a payment by use of a payment card.
The figures depict various embodiments of the present invention for purposes of illustration only. One skilled in the art will readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein.